How to Install Security Patches on Magento 2 Websites

Magento 2 security patches

Do You Really Need to Patch Your Magento 2 Installation?

In about a week, May 25, 2018, new GDPR regulation will be released. It’s a brand new set of data security standards from EU legislators that will affect all international Magento stores. Ecommerce websites will be required to collect, store, and manage other people’s data using higher safety standards. In order to help you fully comply with the new regulation, we’ve decided to create a quick guide how to keep your Magento store secure and up-to-date.

It’s estimated that in 2018 more than 250,000 online stores run Magento. Because Magento is so popular, it gets attacked more often than other ecommerce websites.

And although the platform has a greater level of security than its competition, it’s significantly harder to install individual security updates on it. New security patches and updates come out roughly every few months. It is extremely important to install them early to keep your customers’ data safe.

How to Install Security Patches as an Upgrade to a New Magento Version

We highly recommend updating your Magento core as soon as possible. While individual security patches can keep you up with Magento security standards, upgrading to newer M2 versions is always a better option.

First, let’s see how you can install all security updates by upgrading to the newest Magento 2 version.

1. Updating Through Magento Marketplace

Authorize at the official Magento website. Log into the website at https://account.magento.com/customer/account/login or create a new account, it’s free.

Please note that if you have to create a new account you need to validate your email before you can download new updates and software.

  1. Once you are logged in, go to My Account –> Marketplace
  2. Find the Access Keys option under My Products
  3. Create a new Access Key and name it whatever you like
  4. Now move to the next step

2. Installation of a New Security Patch

Go to System –> Web Setup Wizard –> System Upgrade and paste your key there. This will give you full control over the upgrade options. Once used, your key will always work unless you disable or delete it on the Magento Marketplace website.

To finish the upgrade just follow the steps of Magento Installer.

How to Apply Magento Security Patches Without Upgrading to a New Magento Version

In case you need to apply security patches without upgrading to a new Magento version, the process is a bit more challenging. Here’s a step by step guide.

1. Back everything up. Then back up the backup

First things first. Before you start the update, get a backup of your files and databases. In case anything goes wrong you can roll back to square 1 and start again. Unlike when you upgrade Magento from the Admin Panel, this time you’ll have to manually back everything up before applying individual security patches.

To back up the files the old school way connect to your website using SFTP and download everything in there to your hard drive. Usually, your store will be located in /public_html/ folder, a standard for Apache server configurations.

Install Filezilla or any other popular FTP application to connect to your FTP server and do the backup.

To backup your Magento website database go to cPanel –> phpMyAdmin section and select and export all the databases that you see there.

If you don’t know how to access the cPanel or connect to your SFTP server please refer to your web hosting tech support.

2. Prepare to upgrade
  1. Install MageReport and look up what version of Magento 2 you are running.
  2. Once you know the exact version you have, log into your Magento account or create a new one to be able to download updates.
  3. Go to Magento security patches webpage and download the update that you miss. To select the right download option, check your Magento release in Admin Panel. It’s the record on the bottom left of your page. It should read something like “Copyright © 2018 Magento Commerce Inc. All rights reserved.” which means you need a Magento Commerce release.
  4. Connect to the directory where your website keeps its files. Remember we used SFTP to backup all the files? That’s the one you need to access again. Connect to SFTP and place your security patch files you just downloaded into the magento2 folder that is located at /public_html/ directory. Find  /data/ –> /web/ –> /magento2/ and upload your files there. The full path should look like this: /public_html/data/web/magento2/security-patch-1.sh

3. Install a New Security Patch for Magento 2

To install a new security update for Magento 2, you need a few extra tools. Windows users can download and install PuTTY to access SSH. Mac users can use the built-in Terminal app to do the same.

If you are unsure how to access your server using SSH or change permissions for different folders, your web hosting tech support can send you detailed instructions.

Once you are connected to the server, navigate to the /magento2/ folder where your patch is now located. In the command line run sh your_security_patch_name.sh to start the install.

So to clarify, if we want to install the patch we just uploaded (security-patch-1.sh) our actual commands will look like this:

cd /public_html/data/web/magento2/ (navigate to the required folder)

sh security-patch-1.sh (executes the security patch)

4. Flush Your Magento 2 Store Cache

In order to complete the installation and let the system build a new cache, we first need to get rid of the old one. Go to your Magento Admin Panel. Navigate to System –> Tools –> Cache Management and flush Magento 2 cache.

5. Check Your Results

Make sure everything works fine. Go to Magento bug tester to see if your web store is well protected.

Need Magento support?

Still having trouble with installing Magento 2 updates? Contact Aitoc team and we can help you out with resolving software conflicts, preparing the server environment, and optimizing your Magento 2 website performance.

Aitoc Team
Aitoc is a young team of passionate professionals delivering robust Magento 2 extensions. Founded in 2001, Aitoc has produced over 100 modules for clients worldwide. The company continuously evolves, now offering a full range of custom ecommerce development services.

Comments

comments